• deejay4am@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 months ago

    Passkeys rely on you holding a private key. The initial design was that a device (like a browser or computer/phone) stored the private key in a TPM-protected manner, but you can also store it in a password manager.

    This is more secure than a password because of the way private/public key encryption works. Your device receives a challenge encrypted with the public key, decrypts with the private key and then responds. The private key is never revealed, so if attackers get the public key they can’t do shit with it.

    Just be sure that your private key is safe (use a strong master password for your PM vault) and your passkey can’t be stolen by hacking of a website.

    • ilmagico@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      2 months ago

      I see, that makes sense and should be more secure, in theory. Thanks for the explanation.

      The issue I have is, whether I need to trust a third party with my private key, e.g. Google with Android, Microsoft with Windows, etc. (yes on linux it’s different, but that’s not my only OS).

      Also if the private key does get compromised (e.g. local malware steals it), hopefully there’s an easy way to revoke it.

      • hedgehog@ttrpg.network
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Your Passkeys have to be stored in something, but you don’t have to store them all in the same thing.

        If you store them with Microsoft’s Windows Hello, Apple Keychain, or Google Password Manager, all of which are closed source, then you have to trust MS/Apple/Google. However, Keychain is end to end encrypted (according to Apple) and Windows Hello is currently not synced to the cloud, so if you trust those claims, you don’t need to trust that they won’t misuse your data. I don’t know if Google’s offering is end to end encrypted, but I wouldn’t trust it either way.

        You can also store Passkeys in a password manager. Bitwarden is open source (though they did recently introduce a proprietary, source available SDK), as is KeepassXC. 1Password isn’t open source but can store Passkeys as well.

        And finally, you can store Passkeys in a compatible security key, like the YubiKey 5 series keys, which can each store 100 Passkeys. This makes them basically immune to being stolen. Note that if your primary interest in Passkeys is in the phishing resistance (basically nearly perfect immunity to MitM attacks) then you can get that same benefit by using WebAuthn as a second factor. However, my experience has been that Passkey support is broader.

        Revoking keys involves logging into the particular service and revoking them, just like changing your password. There isn’t a centralized way to do it as far as I’m aware. Each Passkey is only used for a single service, after all. However, in the same way that some password managers will offer to automatically change your passwords, they might develop a similar for passkeys.